@sskaje

Tag: vyos

  • VyOS Set up Port Forwarding for PPPoE to LAN

    Set up PPPoE(WAN) :8022 to LAN host 1921.68.1.119:22

    WAN and LAN are firewall zones.

    Step 1, DNAT

    set nat destination rule 11000 destination port '8022'
set nat destination rule 11000 inbound-interface name 'pppoe0'
set nat destination rule 11000 log
set nat destination rule 11000 protocol 'tcp'
set nat destination rule 11000 translation address '192.168.1.119'
set nat destination rule 11000 translation port '22'

    Step 2, Firewall

    show firewall zone-policy to get firewall policy from WAN to LAN, in my case WAN_IN.

    
set firewall ipv4 name WAN_IN rule 100 action 'accept'
set firewall ipv4 name WAN_IN rule 100 destination address '192.168.1.119'
set firewall ipv4 name WAN_IN rule 100 destination port '22'
set firewall ipv4 name WAN_IN rule 100 protocol 'tcp'

    No need to set WAN_LOCAL

  • VyOS-1x build script on VyOS

    Put vyos/vyos-1x code to /config/build/vyos-1x

    Script as /config/build/build.sh

    #!/bin/sh


cat << 'EOF' > /etc/apt/sources.list.d/debian.sources
Types: deb deb-src
URIs: https://mirrors.tuna.tsinghua.edu.cn/debian
Suites: bookworm bookworm-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb deb-src
URIs: https://mirrors.tuna.tsinghua.edu.cn/debian-security
Suites: bookworm-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOF


podman pull docker.io/vyos/vyos-build:current

mkdir -p /config/build
cd /config/build

rm -f /config/build/vyos-1x-* /config/build/vyos-1x_*

chown -R vyos: /config/build
chmod 777 /config/build

podman run --rm -it --privileged --network host -v /config/build:/vyos -w /vyos/vyos-1x vyos/vyos-build:current dpkg-buildpackage -uc -us -tc -b


dpkg -i vyos-1x_1.5dev0-*_amd64.deb

systemctl restart vyos-configd

chown -R vyos: /config/build
chmod 777 /config/build

  • VyOS Debug PBR & NAT

    As ROOT.

    Keyword: nftrace

    Edit VyOS generated NFT files: /run/nftables*.

    Enable nftrace on full chain 

    table ip vyos_mangle {
    chain VYOS_PBR_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
        meta nftrace set 1
        iifname { eth2,eth0 } counter jump VYOS_PBR_UD_MY_PBR_RULES
    }
}

    Make sure nftrace is enabled before other rules!

    Enable nftrace on SINGLE RULE.

    table ip vyos_mangle {
    chain VYOS_PBR_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
        iifname { eth2,eth0 } counter jump VYOS_PBR_UD_MY_PBR_RULES
    }

    chain VYOS_PBR_UD_MY_PBR_RULES {
        ip saddr  @A_SRC_HIJACK_MITMPROXY counter meta mark set 2147483628 meta nftrace set 1 return comment "ipv4-route-ROUTE_CLASH_TUN-50"
    }
}

    Test & Apply

    # Test
nft --check --file /run/nftables_policy.conf
# Apply
nft --file /run/nftables_policy.conf

    Monitor

    nft monitor trace

    Example Result

    trace id 0abb78f9 ip vyos_mangle VYOS_PBR_PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_static_nat PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_nat PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_conntrack PREROUTING_HELPER packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip raw VYOS_TCP_MSS packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_mangle VYOS_PBR_FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 inet mangle FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip protocol udp ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_filter VYOS_FORWARD_filter packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_filter VYOS_ZONE_FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_mangle VYOS_PBR_POSTROUTING packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip nat VYOS_PRE_SNAT_HOOK packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_static_nat POSTROUTING packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001

  • VyOS 实现LAN 流量劫持

    以前 EdgeRouter 时代,使用的是 DNAT + redsocks + charles/mitmproxy 实现的流量劫持和分析,比较麻烦的点是,redsocks的配置文件需要维护,服务需要重启,每次系统升级(虽然好多年没升级了)都需要重装 redsock,所以当时搞了一套初始化脚本,脱离config tree自动安装deb,自动加载配置,自动symlink配置文件。

    换到 VyOS 之后,本来也想搞这一套,被研发打回来了,他们不接受过分灵活的config tree,让我用 container。

    新方案用 hev-socks5-tunnel,直接把流量转给另外一台主机上的mitmproxy。charles proxy也可以用同样的方法配置

    开 mitmweb,方便web看数据

    mitmweb --web-host 0.0.0.0 --mode socks5 --listen-port 8889

    下列命令创建container,配置PBR

    set container name tun2socks allow-host-networks
set container name tun2socks capability 'net-admin'
set container name tun2socks device dev-net-tun destination '/dev/net/tun'
set container name tun2socks device dev-net-tun source '/dev/net/tun'
set container name tun2socks environment CONFIG_ROUTES value '0'
set container name tun2socks environment IPV4 value '198.51.100.1'
set container name tun2socks environment LOG_LEVEL value 'debug'
set container name tun2socks environment MTU value '8500'
set container name tun2socks environment SOCKS5_ADDR value '192.168.11.19'
set container name tun2socks environment SOCKS5_PORT value '8889'
set container name tun2socks environment SOCKS5_UDP_MODE value 'udp'
set container name tun2socks environment TUN value 'tun9'
set container name tun2socks image 'ghcr.io/heiher/hev-socks5-tunnel:latest'


set protocols static table 19 description 'route to mitmproxy'
set protocols static table 19 route 0.0.0.0/0 interface tun9

set policy route PBR   interface 'eth2'
set policy route PBR rule 50 set table '19'
set policy route PBR rule 50 source group address-group 'SRC_HIJACK_MITMPROXY'


# firewall rules ...

    防火墙规则需要自己搞定,按需NAT。

    nftables 不支持 ipset 那样动态操作成员了,只能在config tree里维护。

    这个方法和以前一样,只能去分析 TCP 协议。如果有 UDP 的需求可以尝试 WireGuard 的方式。

  • VyOS Debug DHCP Server

    Add following to /usr/share/vyos/templates/dhcp-server/kea-dhcp4.conf.j2, node under .Dhcp4

        "loggers": [
      {
        "name": "kea-dhcp4",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
          {
            "output": "/var/log/kea/dhcp4.log",
            "maxver": 10
          }
        ]
      },
      {
        "name": "kea-dhcp4.dhcpsrv",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
          {
            "output": "/var/log/kea/dhcp4-dhcpsrv.log",
            "maxver": 10
          }
        ]
      },
      {
        "name": "kea-dhcp4.leases",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
          {
            "output": "/var/log/kea/dhcp4-leases.log",
            "maxver": 10
          }
        ]
      }
    ],

    Restart VyOS configd

    systemctl restart vyos-configd

    Update config in configure mode.

    View files under /var/log/kea

  • 北京联通猫棒 IPTV

    故事背景:家里拉了很多年的千兆,这两年才从 FTTB 换成 FTTH。但是之前买的千兆套餐不送 IPTV 了,而光改的时候,联通的工作人员帮我改了桥接,但是所有口都绑定了 Internet。现在开通IPTV需要初装费,还要月费,所以我就没开通。本来是不想折腾的,因为实在没空,但是被催了好久猫棒的事情,所以就临时下了个单,花了一天做了些实验。

    (more…)